Method and apparatus to define and justify policy requirements using a legal reference library

ABSTRACT

A computer-implemented system and method for defining and justifying policy requirements includes: a hierarchical regional mapping (HRM) module that provides a common language and a hierarchical model for geography and for jurisdictions; a legal references library (LRL) module that contains applicable legal references; a legal references policy mapping (LRPM) module that maps legal references to policies; and a requirements cross-checking (RCC) module that cross-checks information in the legal references policy mapping module.

BACKGROUND OF THE INVENTION

1. Field of the Invention

This invention relates to methods and apparatus using software for governance of organization policies.

2. Prior Art

Previously, data for policy governance was usually maintained using spreadsheets, in which legal references relating to policies were by name and which quickly got out of date. More complete libraries of legal references were available but were focused only on managing those legal references and are not focused on policy development, policy cross references, or analysis. Also, they usually contain a large subset of all legal references applicable in a large jurisdiction, and are not tuned, formatted or tagged to reflect the need of corporations, but instead reflect the needs of the law services consulting companies that provide services to these corporations. Codification of jurisdictional coverage is often different between publishers of legal references and legal consultants. Organizations and companies are often left with their own resources to derive policies in an ad-hoc manner, which often results in partial, inefficient, or unreliable execution of legal processes. This puts an organization at greater risk of being unable to justify their policies when challenged so that they may incur fines, penalties, reprimands, or other public relationship embarrassments, all of which can seriously impact company business.

SUMMARY OF THE INVENTION

The present invention reduces the risk and costs associated with the definition, justification and defense of any company policies based on legal references provided by any law, rule, guideline, or other legal requirement. First, it enables a more thorough, quicker, and cheaper process to identify relevant legal references by matching related geographic areas of application. Second, it greatly simplifies the process of identifying potentially conflicting or disparate requirements from different legal references in order to facilitate the decision process regarding which requirements should be explicitly followed. Third, it provides more robust documentation and tracking of the decisions that were made, and can assist in preventing and detecting inconsistencies or human errors during that process. As a result, any organization taking advantage of the present invention will benefit from having a cheaper, faster, and more reliable process to define and maintain policy requirements, which in turn decreases exposure from non-compliance. The present invention also provides more consistent and defensible documentation for the justification for policies and significantly reduces risk in case of legal challenges to those policies.

The present invention provides a computer-implemented system and method for defining and justifying policy requirements. A hierarchical regional mapping (HRM) module provides a common language and a hierarchical model for geography and for jurisdictions. A legal references library (LRL) module contains applicable legal references. A legal references policy mapping (LRPM) module maps legal references to policies. A requirements cross-checking (RCC) module cross-checks information in the legal references policy mapping module.

According to various aspects of the invention, the legal references policy mapping (LRPM) module: provides for creating and maintaining a list of legal references that apply to a given policy; provides for identifying which type of requirement for a given policy is influenced by a given legal reference; and provides which of the legal references are to be controlling for a given policy.

According to various other aspects of the invention, the requirements cross-checking (RCC) module provides for creating and maintaining a model of the dependencies and compatibility between structured parameters used to describe each category of requirements; provides, within each category of requirements, consolidation of all controlling requirements and comparison of them to a policy requirement using an understanding of the relationships between parameters and options; provides, within each category of requirements, consolidation of the sum of all requirements to allow easy review and evaluation of the compromises that were made between the policy requirement and the sum of all requirements that were applicable; and provides cross-checking of a geographic region and jurisdiction associated with a policy and its related legal references to detect inconsistency that would uncover human error.

According to various other aspects of the invention, the hierarchical regional mapping (HRM) module provides representation of the different jurisdictions and sub-jurisdictions that an organization operates in and representation of regulatory or governing bodies within the different jurisdictions; and provides an explicit naming/referencing scheme in which nodes are specified by a hierarchical path.

According to various other aspects of the invention, the legal references library (LRL) module provides for each legal reference a geographic region or jurisdiction that the reference applies to as defined by one or more nodes within a hierarchy defined by the HRM module; and provides for each reference a classification tag that reflects the source of a requirement and the domain of application of the requirements within the organization.

According to various other aspects of the invention, the domain of application includes one or more of the following: preservation requirements, retention, data privacy, or security designations.

BRIEF DESCRIPTION OF THE DRAWINGS

The accompanying drawings, which are incorporated in and form a part of this specification, illustrate embodiments of the invention and, together with the description, serve to explain the principles of the invention:

FIG. 1 is an overall system diagram illustrating a system for defining and justifying policy requirements using a legal reference library.

FIG. 2 is a diagram illustrating a hierarchical regional mapping module (HRM) and its interaction with a module for a common language and a model for geography and jurisdictions.

FIG. 3 is a diagram illustrating a legal reference library module (LRL) and its interaction with a legal reference module.

FIG. 4 is a diagram illustrating a legal reference to policy mapping module (LRPM) and its interaction with a module for mapping of legal references to policies.

FIG. 5 is a diagram illustrating a requirement cross check module (RCC) and its interaction with the module for mapping of legal references to policies.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

Reference is now made in detail to preferred embodiments of the invention, examples of which are illustrated in the accompanying drawings. While the invention is described in conjunction with the preferred embodiments, it will be understood that they are not intended to limit the invention to these embodiments. On the contrary, the invention is intended to cover alternatives, modifications and equivalents, which may be included within the spirit and scope of the invention as defined by the appended claims.

In the current global economy, any organization, enterprise, public agency, etc.—hereinafter referred to as “the company”—must define, justify, implement and ensure compliance with a broad range of policies. Depending on its size, its scope of activity, and the different jurisdictions that it operates in, the company may need to define thousands, if not tens of thousands, of different instances of policies. Some of these policies are likely to be challenged by other parties, either regulators, government agencies, shareholders, current and past employees, or other third parties. It is in the best interest of the company to use a precise, efficient, and defensible process to define and justify its policies. This process should fulfill several needs. One need is to document those legal references that are used as references or sources for justifying a policy. Note that in this context, “legal reference” is used as a generic term to encompass any law texts, opinions on law texts, other internal company protocols or practices, or any other reference used to justify some or all aspects of a policy. The process should help to quickly identify which legal references are relevant to a specific policy. The process should document which aspect of a policy is governed by specific related legal references. The process should document which specific legal references the company selects as governing in those cases where the requirements of different legal references are conflicting or open to various interpretations. The process should proactively detect potential inconsistencies or other human errors when compiling legal requirements into policy requirements. The present invention provides a process and a computer-implemented software tool for enabling and supporting the efficient and reliable execution of this process.

FIG. 1 shows an overview of a system 10 and a process for defining and justifying policy requirements. The system 10 and process have four different data units that represent data created by four modules. A common language/jurisdiction data unit 12 provides information to a legal references library data unit 14 and to a policies data unit 16. A mapping data unit 18 maps legal references to policies. The common language/jurisdiction data unit 12 provides for the creation and maintenance of a common language and also provides a model to describe geographical areas of application for legal references and policies.

The four modules are as follows. A hierarchical region mapping module (HRM) 20 defines a common hierarchy of jurisdiction or other geographic areas that are used to define the scope of application of all legal references and policies. A legal reference library module (LRL) 22 captures, manages, and maintains the definitions of all legal references that the company may need to refer to in order to define and justify its policies. A legal reference to policy mapping module (LRPM) 24 is used to define the relationship between any policy and its related legal references. A requirement cross check module (RCC) 26 performs cross check validation of the requirements defined in all related legal references against the requirements defined in the policy that they are related to, with the purpose of detecting inconsistency and minimizing errors. Some of the validations are performed automatically; others are assisted by the tool but may require human judgment to complete the validation. Validation includes change management and analytics as well as audits.

Laws and regulations apply only within the jurisdiction of the agency or governing body that has defined them, for example, all countries of the European Union, a specific country, or a specific U.S. state. Similarly, policies usually apply only within a specific geographical region, country, state, or some arbitrary region defined by the company, such as, for example, “North East Asia”. To ensure that policies and legal references are properly defined and to ensure that proper legal references are used to justify their matching policies, it is very important to make sure their geographical regions of application are consistent. It is difficult to do that if the scopes of application are defined using different terminology. The hierarchical region mapping module (HRM) 20 unifies them into a single hierarchy of all applicable “geographic” regions, either jurisdiction-based or geography-based, in the common language/jurisdiction data unit 12. The hierarchical region mapping module (HRM) makes comparisons and validation easy and reliable.

The legal references library LRL module 22 provides creation, management, and maintenance of a legal reference data library 14, or of a list of legal references, that contains all applicable legal references. This library allows a user to define and track the legal references and some of the key properties of those legal references. One property is the geographic area of application, based on a defined model. Another property is the use of structured definitions of legal reference requirements. In this context, a structured definition is used in the sense of a definition whose semantic meaning can be understood by a software application as the sum of fields, numeric values, options, and other codified semantic information that can be compared, ordered, or otherwise automatically processed by a software application. This is in contrast to a human readable description, such as, for example, free form text using English sentences, which are easily understood by a person but have no meaning for a software application. Links are provided to other related legal references that define similar requirements in the same or related geographic area of application.

The Legal References Policy Mapping (LRPM) module 24 defines, manages, and maintains a mapping between legal references and policies in the mapping and legal references data unit 18, while tracking specific properties. One property includes geographic areas of application of the policies, based on the above defined model. Another property is the definition of the applicable requirements such that a related legal reference may define a broad set of requirements, but when applied to a specific policy, only certain of these requirements will truly apply in the context of that policy. Another property is the definition of the governing requirements, also called “trumping legal references.” Out of all the applicable requirements defined by the combined related legal references, some may conflict and some may be judged as being too constraining or less applicable. Consequently the policy requirements are based on only a subset of all applicable requirements called the governing requirements of the governing legal references, while the other requirements are tracked for reference, but are trumped, so to speak, by the governing requirements.

The Requirement Cross Check (RCC) module 26 provides for cross-checking and validation of all applicable and governing requirements from related legal references against the requirement of their matching policy, to ensure consistency and detect any human errors. This module also provides for change control throughout the process to deal with changes. These changes include a number of aspects, including: creation or removal of legal references, from either the library, the policies, or the process; replacing an existing legal reference by a new legal reference; changes to the definition of a legal reference, including any requirement or its geographic area of application; changes to a geographic area of policy application, including any refinement or further breakdown of existing policy in more specific geographic areas of application, such as, for example, breakdown of U.S. federal policy into U.S. states policies; and changes to the trumping legal references.

Hierarchical Region Mapping Module (HRM)

With reference to FIG. 2, the hierarchical region mapping module (HRM) 20 provides the ability to create and maintain a single common hierarchy of geographies and jurisdictions using a create/edit function 20a. The HRM module 20 also includes a browse and search function 20b. The HRM module 20 represents all of the different jurisdictions 32 in which the company operates, including, but not limited to, countries, sub-regions within countries (like US states), sub-regions within the sub-region (like US counties), any further sub level as appropriate (sub-sub-sub-region, etc.), or any level of macro-jurisdiction as federation of countries (like the European Union) based on international treaties. The HRM module 20 represents all regulatory or governing bodies or agencies 34 that control laws or regulations in those jurisdictions.

The HRM module 20 provides the semantics of jurisdiction inheritance that makes it possible to determine a list of all jurisdictions within which the laws for that jurisdiction apply. For example, laws published by a European EU agency are defined in the jurisdiction of the EU, and consequently apply (under the proper treaty) in any EU country and any sub-jurisdiction within any of those countries. As another example, U.S. federal laws by default apply to all U.S. states and to all U.S. counties.

The HRM module 20 represents any arbitrary geographic region 38 defined as the union of multiple existing geographic regions or jurisdictions, or a sub-region of an existing geographic region or jurisdiction. These geographic regions are typically specific to the business of the company and reflect the fundamental organization of the activity of the company, in different sales regions, or any other business driven geography. For example, the company may have divided their US sales into a few regions like: “East Coast,” “West Coast” and “Central”. Such regions are typically defined as a specific list of U.S. states. As another example, the company may have divided its worldwide sales activity into regions, one of them being “North East Asia,” defined as a list of countries in North East Asia, such as, for example, Japan, South Korea, and Taiwan. The company may not track jurisdiction at a granularity smaller than the state of California, but it may have different branches or sales organization in 3 sub-divisions of California such as “South”, “Central”, and “North”.

The HRM module 20 provides an explicit naming/referencing scheme so that each node in the hierarchy is named or referenced as a unique node by specifying a complete hierarchical path, starting with a country, or a geographical region or jurisdiction equivalent to the union of multiple countries.

The HRM module 20 ensures that all other modules are able to describe where policies and their justifications apply in a fully consistent manner, worldwide, for any type of policy that is either driven by external governing agencies or that is driven by internal company business drivers.

Legal Reference Library Module (LRL)

With reference to FIG. 3, the legal reference library 14 provides a central common repository for all legal references that may be relevant to define, support, relate to, or justify any company policy, process, or practice. The LRL module 22 tracks the various properties for each legal reference. One property includes the geographic region or jurisdiction that a legal reference applies to, where the geographic region or jurisdiction is defined as one node or multiple nodes within the hierarchy defined by the HRM module 20. By leveraging the unified hierarchy provided by the HRM 20, the LRL 22 makes it easy to identify any applicable legal references for any given region or jurisdiction without any of the usual confusion or uncertainty encountered with usual systems where legal references are kept in different repositories, using a different geographic hierarchy. The residence of the data or individual can be used to determine the geography and therefore an applicable legal reference and policy.

Classification tags are provided that reflect different fundamental aspects of a legal reference and that include: the category for the source of a requirement, including but not limited to laws or regulations from regulatory or governing bodies and agencies; opinions that are interpretations of laws or regulations from legal experts based on case law or other legal analysis; and internal protocols, or internal requirements defined within the company itself, that behave as internal laws of the company.

While in common cases legal references usually belong only to a single category of sources of requirements because they are usually mutually exclusive, legal references can sometimes belong to multiple categories.

The domain of application of the requirements within the company includes, but is not limited to, the following: preservation in the context of legal holds related to E-Discovery; retention both in terms of regulatory requirements and internal business requirements; and data privacy, or personal data protection, security, or enforcement of confidentiality and security regulation, or business driven confidentiality and security requirements such as trade secrets. Note that a legal reference can very well define requirements for multiple domains of application.

The level of risk is associated with non compliance. While some regulations have existed for a long time, they may never have been enforced in practice. Other regulations are regularly and aggressively enforced, with certain agencies being especially proactive with regard to using the full extent of the law and with generating strong negative public relations (PR) for violators.

Other classifications arise that are related to the originator of the requirements, or the requirements themselves, and provide useful context in their use within the company. These other classifications may be specific to the business of the company, for example: a large government contractor may pay special attention to government contractor regulations and be interested in culling out all legal references related to this topic. Classification tags make it much easier and simpler for end users to narrow down their search when looking for applicable requirements within a certain context. They help simplify and humanize often complex legal numbering schemas and languages. They can also be used to perform consistency checks and to automatically flag potential errors.

Requirement definitions, broken down in specific categories, include but are not limited to: Retention rules include any rules related to when and under which condition the relevant information should be disposed of, or how long and under which condition it should be maintained. Such retention rules may vary based on the type of document considered, in the sense of official records, versus draft or courtesy copy.

Disposal protocols specify how the information should be disposed of when its retention period expires, including the means for and the thoroughness of a destruction process, detailed process steps in the case of a multi-step disposal process, security, audit and confidentiality requirements in the handling of the disposal process, etc. Handling protocols specify who can access or use the information for what purpose, using an Access Control List or other access control processes, or Security Level Classifications, etc. Storage protocols specify any restrictions on where and how the information should be stored, encryption requirements, etc. Transport protocols specify any process requirements on how to move or copy the data between different storage systems.

It is to the benefit of the company to codify these protocols into a small number of reference protocols, and describe them by reference to a codified version versus including a full description of the protocol potentially different for every legal reference or policy. This codification makes it much easier to interpret the semantic meaning of the requirement automatically and to provide automatic cross-checking and detection of inconsistencies. Codification improves readability for non legal experts. Codification makes it easier to summarize multiple requirements for a single system or class of information. Codification makes it easier to change the details of one of these protocols consistently independently of which legal references use it. Examples of such codification include retention rules and disposal protocols. Retention rules are defined as sets of a generic rule selected from a list of options (like “permanent”, “Fixed time”, “Trigger event+fixed time”) combined with various parameters as needed (like duration, trigger event). Disposal protocols are defined as a choice from a codified list of applicable options (for example: “Trash”, “Shredding”, “Shred and burn”, etc.).

Related legal references are often defined in the law text themselves. Capturing those related legal references in the LRL module enables: easier and faster cross reference during research; simplification of cross-referencing and cross-inclusion of legal references (with related legal references) when applicable; ensuring that all applicable legal references are indeed tracked within the LRL; determination of trumping legal references.

The LRL module 22 also provides full search capabilities leveraging all of the detailed information and context on each legal reference to make it easy for an end user to identify relevant legal references in any given context. Details of the search capabilities correspond to the data model captured above, and leverage the capability of the HRM module to identify all applicable jurisdictions upstream or downstream from a specific geography, such as, for example, any laws that can apply to any part of Germany, or all laws applying to a specific sub-region of Germany.

Legal Reference to Policy Mapping Module (LRPM)

With reference to FIG. 4, the legal reference to policy mapping module (LRPM) 24 provides several capabilities.

One capability of the LRPM 22 is creation and maintenance 50 of the list of legal references 52 that apply to any given policy 54. In order to identify which legal references may be relevant to which policy, the user will typically leverage multiple sources, including but not limited to: known relevant legal references already attached to similar policy, or same policy as globally defined within a larger jurisdiction (like a global policy for the US, compared to a local policy for just California); potentially relevant policy identified as the result of research using the full search capability of the LRL module, as described above; and legal references related to legal references already attached to a policy, as defined by the LRL module.

Another capability of the LRPM 22 is to identify 56 which type of requirement for a given policy may be influenced by a given legal reference. This is directly aligned with the requirement categorization used by the LRL module, including but not limited to: retention rules; disposal protocols; handling protocols; storage protocols; and transport protocols. This type of mapping is established in different ways, including but not limited to the following: automatic mapping that is based on which requirements were defined or not defined in the LRL module for that legal reference; automatic mapping that is based on which classification tags 58 were defined for that legal reference in the LRL module (a retention tagged legal reference should impact retention rules; a privacy tagged legal reference should impact handling and storage protocols, etc.); and explicit mapping by the user, who will designate which of the requirement categories of the policy will be impacted by the given legal reference, including the ability to overwrite the automated mapping described above.

Another capability of the LRPM 22 is to define which of the legal references and, optionally, which of their requirements are considered “controlling” for that policy. This sets the expectation that the requirements defined in the policy should be guided by the controlling legal references, even if some of the other applicable requirements may be even stricter or not really compatible with them. This is especially useful because, while policymakers want to keep track of all legal references that could apply to a given policy, they will often need to make some compromise on how they interpret the sum of these requirements. For example, this is the case where requirements: are stricter than should reasonably need to be followed; apply within a geography or jurisdiction where the activity (and consequently the exposure) of the company is very limited; have never been enforced by their governing body or agency in the past; or are conflicting with other requirements for which the risk is much greater.

By aggregating in a highly structured form a clear definition of the relationships and priorities of the different requirements of different legal references, as they apply to a given policy, the LRPM module 24 provides the very foundation that will enable the RCC module to perform its function; enables the policy makers to clearly document the decisions and compromises made during the process of determining the policy requirements; makes it much easier to defend that process if challenged later; and makes it much easier to maintain that process accurately as legal references and business context continue to evolve over time.

Requirement Cross Check Module (RCC)

With reference to FIG. 5, the requirement cross check (RCC) module 26 includes a requirement parameter cross-check function 26a, a trumping requirements cross-check function 26b, a requirement consolidation and audit function 26c, and a geographic and cross-check function 26d. The requirement cross check (RCC) module 26 provides several capabilities.

One capability is to create and maintain a model of the dependencies and compatibility between the structured parameters 44 used to describe each category of requirements. As an illustrative example, the disposal protocol requirements for ESI (Electronically Stored Information) may specify 3 options, including simple deletion; digital shredding; and physical destruction of the storage medium. The 3 options can clearly be ordered by increasing levels of enforcement, in the sense that any requirement for simple deletion or digital shredding would be implicitly fulfilled through physical destruction of the storage medium. The ability to represent and understand this order of prevalence between options is key for the RCC module to process the semantic meaning of the requirements, and ensure consistency and compliance.

Another capability, as described above, is that a retention rule may be defined as sets of a generic rule selected from a list of options (like “permanent”, “Fixed time”, “Trigger event+fixed time”) combined with various parameters as needed (like duration, trigger event). The ability to understand any implication or inclusion between trigger events (in the sense that occurrence of event A implies that event B already occurred), and the ability to compare different periods and to combine and compare them based on which generic rule applies, would allow the RCC module to compare different retention rules from various legal references and conclude whether or not they appear compatible with the resulting policy retention rules.

Within each category of requirements, the RCC module 26 consolidates all controlling requirements 60 and compares them to the policy requirement, using the above defined understanding of relationship between the parameters and options. This may be done in a fully automated way (when full semantic interpretation of the requirement description can be performed, like comparing different retention periods) or in a semi-automated way. For example, the RCC module may compare the trigger events of retention rules and may not be able to compare them to the policy trigger event. In such a case, the RCC module may trigger a workflow for an authorized user to review the conflicting requirement parameters and provide legal interpretation, to close the cross-check or trigger further corrective action.

Within each category of requirement, the RCC module 26 also consolidates 54 the sum of all requirements (not just the controlling ones) to allow easy review and evaluation of the compromises that were made between the policy requirement and the sum of all requirements that were applicable in that context.

The RCC module 26 also cross-checks the geographic region and jurisdiction 52 associated with the policy and its related legal references to detect inconsistency that could uncover human errors.
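An added example (not code from the patent) sketching in Python the cross-checks described in this section together with the HRM hierarchical-path inheritance described earlier. The class names, region paths, sample references and the reading of a fixed-time retention rule as a minimum period are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Disposal options named in the text, ordered by increasing level of enforcement.
DISPOSAL_ORDER = ["simple deletion", "digital shredding", "physical destruction"]


def covers(ref_region: str, policy_region: str) -> bool:
    """HRM inheritance: a reference defined at a node applies to that node
    and to every node below it. Paths are compared per segment, so "US"
    covers "US/California" but not a sibling such as "USVI"."""
    ref, pol = ref_region.split("/"), policy_region.split("/")
    return pol[:len(ref)] == ref


@dataclass
class Requirement:
    rule: str                       # "permanent" | "fixed" | "trigger+fixed"
    days: int = 0                   # assumed to be a minimum retention period
    trigger: Optional[str] = None
    disposal: str = "simple deletion"


@dataclass
class LegalRef:
    name: str
    region: str                     # hierarchical path in the HRM
    req: Requirement
    controlling: bool               # False = tracked but trumped


@dataclass
class Policy:
    name: str
    region: str
    req: Requirement


def retention_ok(policy: Requirement, ref: Requirement) -> Optional[bool]:
    """True/False when the rules can be compared automatically,
    None when an authorized user has to interpret them."""
    if policy.rule == "permanent":
        return True                 # permanent retention meets any minimum
    if ref.rule == "permanent":
        return False
    if policy.rule != ref.rule:
        return None                 # fixed time vs. trigger event + fixed time
    if ref.rule == "trigger+fixed" and policy.trigger != ref.trigger:
        return None                 # trigger events need legal interpretation
    return policy.days >= ref.days


def disposal_ok(policy: Requirement, ref: Requirement) -> bool:
    """A stronger disposal option implicitly fulfils a weaker one."""
    return DISPOSAL_ORDER.index(policy.disposal) >= DISPOSAL_ORDER.index(ref.disposal)


def cross_check(policy: Policy, refs: List[LegalRef]) -> List[Tuple[str, str]]:
    findings = []
    for ref in refs:
        if not covers(ref.region, policy.region):
            findings.append((ref.name, "geography-mismatch"))
            continue
        ret = retention_ok(policy.req, ref.req)
        if ret is None:
            findings.append((ref.name, "needs-review"))
        elif not (ret and disposal_ok(policy.req, ref.req)):
            # Unmet controlling requirements are errors; unmet trumped
            # requirements are documented compromises.
            findings.append((ref.name, "violation" if ref.controlling else "trumped"))
    return findings


def demo() -> List[Tuple[str, str]]:
    # Constructed sample data; the references are placeholders, not real laws.
    policy = Policy("HR records", "US/California",
                    Requirement("fixed", 2555, disposal="digital shredding"))
    refs = [
        LegalRef("REF-A", "US", Requirement("fixed", 2190), True),
        LegalRef("REF-B", "US/California",
                 Requirement("fixed", 3650, disposal="digital shredding"), False),
        LegalRef("REF-C", "EU/Germany", Requirement("fixed", 365), True),
        LegalRef("REF-D", "US/California",
                 Requirement("trigger+fixed", 1095, trigger="employee termination"), True),
        LegalRef("REF-E", "US",
                 Requirement("fixed", 365, disposal="physical destruction"), True),
    ]
    return cross_check(policy, refs)


if __name__ == "__main__":
    for name, status in demo():
        print(name, status)
```
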

The foregoing descriptions of specific embodiments of the present invention have been presented for purposes of illustration and description. They are not intended to be exhaustive or to limit the invention to the precise forms disclosed, and obviously many modifications and variations are possible in light of the above teaching. The embodiments were chosen and described in order to best explain the principles of the invention and its practical application, to thereby enable others skilled in the art to best utilize the invention and various embodiments with various modifications as are suited to the particular use contemplated. It is intended that the scope of the invention be defined by the Claims appended hereto and their equivalents.

1. A computer-implemented system for defining and justifying policy requirements, comprising: a hierarchical regional mapping (HRM) module that provides a common language and a hierarchical model for geography and for jurisdictions; a legal references library (LRL) module that contains applicable legal references; a legal references policy mapping (LRPM) module that maps legal references to policies; and a requirements cross-checking (RCC) module that cross-checks information in the legal references policy mapping module.
2. The system of claim 1 wherein the legal references policy mapping (LRPM) module provides for creating and maintaining a list of legal references that apply to a given policy.
3. The system of claim 1 wherein the legal references policy mapping (LRPM) module provides for identifying which type of requirement for a given policy is influenced by a given legal reference.
4. The system of claim 1 wherein the legal references policy mapping (LRPM) module provides which of the legal references are to be controlling for a given policy.
5. The system of claim 1 wherein the requirements cross-checking (RCC) module provides for creating and maintaining a model of the dependencies and compatibility between structured parameters used to describe each category of requirements.
6. The system of claim 1 wherein the requirements cross-checking (RCC) module provides, within each category of requirements, consolidation of all controlling requirements and comparison of them to a policy requirement using an understanding of the relationships between parameters and options.
7. The system of claim 1 wherein the requirements cross-checking (RCC) module provides, within each category of requirements, consolidation of the sum of all requirements to allow easy review and evaluation of the compromises that were made between the policy requirement and the sum of all requirements that were applicable.
8. The system of claim 1 wherein the requirements cross-checking (RCC) module provides cross-checking of a geographic region and jurisdiction associated with a policy and its related legal references to detect inconsistency that would uncover human error.
9. The system of claim 1 wherein the hierarchical regional mapping (HRM) module provides representation of the different jurisdictions and sub-jurisdictions that an organization operates in and representation of regulatory or governing bodies within the different jurisdictions.
10. The system of claim 1 wherein the hierarchical regional mapping (HRM) module provides an explicit naming/referencing scheme in which nodes are specified by a hierarchical path.
11. The system of claim 1 wherein the legal references library (LRL) module provides for each legal reference a geographic region or jurisdiction that the reference applies to as defined by one or more nodes within a hierarchy defined by the HRM module.
12. The system of claim 11 wherein the legal references library (LRL) module provides for each reference a classification tag that reflects the source of a requirement and the domain of application of the requirements within the organization.
13. The system of claim 12 wherein the domain of application includes one or more of the following: preservation requirements, retention, data privacy or security designations.
14. The system of claim 12 wherein the domain of application includes a level of risk associated with non-compliance.
15. The system of claim 12 wherein a requirements definition includes one or more of the following: retention rules, disposal protocols, handling protocols, storage protocols, and transport protocols.
16. The system of claim 11 wherein the legal references library (LRL) module includes referral to related legal references.
17. The system of claim 1 wherein the legal references library (LRL) module is provided with full search capability.
18. A computer-implemented method for defining and justifying policy requirements, comprising the steps of: mapping in a hierarchical regional mapping (HRM) module to provide a common language and a hierarchical model for geography and for jurisdictions; providing legal references library (LRL) module that contains applicable legal references; mapping legal references to policies in a legal references policy mapping (LRPM) module; and cross-checking in a requirements cross-checking (RCC) module information in the legal references policy mapping module.